(tech) people tend to laugh at me/pull the tinfoil hat card for putting my dlink/iot stuff behind a very restrictive, dedicated, iptables filtered, hostapd based custom network running on my pi zero w that isn’t allowed to talk to the home network or internet at all.
As mentioned by others, I guess it really needs severe identity theft/abuse with vital services until people realize that today's IoT 'plug & play' is worse than the level of 'plug & pray' we've seen in the early PCI/USB/Win98 era (that only impacted your local device functionality).
I've recently put some time into setting up zigbee2mqtt (http://www.zigbee2mqtt.io/), which lets you use all these smart home things without their proprietary hubs. So I can use all the Chinese smart home stuff without needing to use their hub, so no risk of it phoning home.
It takes some work to get going, but it's amazing. Cheaper (no need to buy all those different hubs), more flexible (you can use node-red or any programming language to do exactly what you want), and way more secure (nothing leaves your home network unless you want it to).
As others have mentioned VLAN is an opt-in step and requires support from the hardware.
I also DON'T want those devices to be able to connect to the internet: I have a D-Link webcam that has (had?) some issues around being exploitable remotely via the MyDLink or whatever it's called service. I don't want to have (more) devices sitting in my network that open it up from the inside.
Also, my guests need to be able to access the internet without me having to whitelist their MAC addresses.
Yeah, what dborham wrote: most people wouldn't know a VLAN if it bit them on the nose, but if your router automatically created the SSID "foo-devices" to go alongside your regular "foo", people might use it.
Like the "offer a guest network" button which, now I think of it, might already be enough.
Do you have any resources you can point to on how you went about setting this up? I tried setting up a VLAN or something with little success. I'm running DD-WRT, but any sort of firewalling or subnetting is outside my comfort zone.
It's mostly a blend of many different tutorials/blog posts/forums on hostapd, Raspbian, dnsmasq and the like.
I took notes both times I set this up (the first time the SD card died shortly after, with no backup of any sort; the second time some changes in drivers, Raspbian Lite and other tooling were different, so I had to start over).
I thought this project would make a good first blog post, maybe I can gist some steps / bullet points next week or so.
Do you allow inbound traffic from your home network to your IoT network in order to control IoT devices or do you have to switch WLAN connection when you want to do so?
"I" of IoT literally means internet. How does barring your IoT devices from communicating over the Internet make sense? Wouldn't it make total sense to get rid of all your IoT devices instead?
> a misconfigured and Internet-facing Elasticsearch database without a password. If this wasn't bad enough, a Kibana web-based app, there to make navigating through the data easier, had no password protection.
That's not even really 'exposed in breach', that's just 'exposed'.
I think in some sense having an admin interface exposed as well as the admin API is 'worse'.
I completely agree that it doesn't make it less secure, but it does make it more... 'oh come on'. I mean, nobody who was using it legitimately realised?
If megacorp #246 decides to use free software, I'm inclined to think they have more than enough money to pay engineers to secure it. It's not rocket science.
It's like installing a mysql db and leaving the root password blank because "welp it's the default config".
> they have more than enough money to pay engineers to secure it
But they usually don't want to. It usually goes like that: we need some internal tool to do stats. All our people are busy on other projects. Let's get an intern to do that.
At the very least, governments should mandate that all manufacturers disable default passwords. It's simply good practice; we're not even talking about security loopholes in the device itself.
If the functionality of your home depends on a privately owned, 3rd-party server, then I'd say it very much highlights the potential risks of IoT devices / applications.
The backend component is just as important as the endpoint component. Pretending that IoT is one or the other, but not both is one of the biggest security root causes.
IMHO more disturbing than the lack of security is the fact that people will willingly put these products in their house that phone home to a central database.
I'm not into the whole IoT thing but if I really had a need to control something from anywhere on the Internet, it would not rely on a centralised third-party service.
>It's unknown if anyone has taken advantage of the vulnerability (yet) and, as of July 1, the database was still accessible with no password protection.
And this article was published today... The database was closed a day later, on July 2.
It most certainly has been taken advantage of. Bots crawl the internet checking for services on default ports without a password.
I was a victim of this recently when I got reports that my web app was down, and when I investigated I saw there was a password on Redis preventing the app from connecting. I then found out the Redis Docker container was accepting connections from the outer internet with no password, and someone had connected in and set a password on it (probably just to alert me to the fact it was exposed). Thankfully there was basically nothing in Redis, so no user data was exposed.
The Twitter account "internet of shit" tracks these sort of things.
Mark my words, eventually the world is going to see some sort of Fukushima scale internet of shit disaster caused by poor security/architecture. I'm not sure what form it will take, maybe mass pwnage of a device as commonplace as Amazon echo or Google home, but it will be bad.
Agreed. We're putting devices that need to be highly secured, ideally network separated, in the hands of normal people. People who either don't know that they should update their routers, or simply don't care.
At the same time, IoT devices are being sold by companies who think that a 10-year support cycle is "a long time" and who frequently drop support for devices when new models are released. The same companies often have terrible models for customer support.
I was at a presentation of Microsoft's Azure Sphere OS. The presenter proudly proclaimed that they would have a 10-year support cycle. Apparently I was the only one in the audience who felt that 10 years is at least 5 years short of what is needed.
10 years is probably longer than most of these IoT companies have been around. Most of these devices probably get one year of updates max before support is dropped.
We have had it already, several times over, but people don't care. Once it is something big enough (like I now own your house or bank account) people will care, although big banks and governments will surely protect us...
I don't think we've really had "the big one" yet; it's going to be something like several years of recorded private audio conversations from the interiors of luxury cars being dumped, or every Amazon Echo on the planet simultaneously playing 'fuck the police' by NWA.
Is Facebook user data getting sent to a 3rd party to manipulate elections big enough? IoT devices are regularly being used to DDoS major internet services.
If it's rogue hackers making the movements, I'm imagining massive coordinated botnet attacks against a series of targets to fail the legs of a larger system, with intentions of hitting a bigger prize target.
If used by government actors, I imagine they'd use it every opportunity they could.
For personal data leaking out, the rise of various far right movements comes to mind. Once a party takes total control and wants to get rid of dissidents, these data troves are even more valuable than census data was to the Nazis.
Separately, I worry about smart devices that could be used to cause electrical fires, leaks, etc at scale. Triggering many devices in a target area to do some activity that sparks even small fires allows you a decent chance of creating large fires fairly easily without a single troop hitting the ground or firing a single bullet. With the impact we saw from the Camp Fire, the government's current... issues... Etc., that's terrifying.
If you're researching internet-facing setups of anything, shodan is an excellent resource. You'll still have to actually investigate and sample the data from the discovered locations, but that's where even rudimentary tooling comes along.
The likely explanation for this type of discovery would be either internet-wide scans of known services or happening across these servers while reverse-engineering an app / protocol related to the specific service. The former seems to be the case here, as the authors refer to some of their "web-mapping" efforts in the last paragraph and have previously published similar findings [1, 2] they discovered through the same process. You can get starting points for probing into this as a service from places like [3] if you don't want to perform the scan on your own infrastructure, although the tools for this have become insanely accessible over the last few years (at least for IPv4 coverage).
Does brute forcing still work these days? I thought the wild-west free-for-all scanning days would have ended, as ISPs (or someone in the routing chain) would block such attempts? I haven't tried since the 90s because I'm slightly paranoid about being classified as an evil hacker. Somewhat relatedly, my bank recently wouldn't let me log in (cryptic error message) because they started using a "trusted IP scanner service" in the UK which had marked me as a proxy, probably because I was running a Tor relay last year. I had to send multiple unblock requests, all of which were denied with canned responses that no, they won't reclassify my IP. Only when I mentioned that I couldn't log in to my bank account did they finally unblock me. The point of my story is that it sure feels like more gatekeepers are being implemented to stop "nefarious" operations.
The thing about standard practices is that they don't come as standard. For every 10 Fort Knoxes, there's at least one place with the side door left ajar. You only hear about those instances when a hack makes the news, in a sort of reverse survivorship bias.
So you're saying I could brute force scan IPs for vulnerabilities and won't have to worry about being denied access by e.g. my ISP, CloudFlare, AWS, etc?
> The information in the database belonged to Orvibo
Would things meaningfully become more secure if we had a legal framework under which the information in the database belonged to each consumer? Or would a simple click-through license make that moot?
Does anyone know a decent tutorial or explanation of how to "secure" one's network with IoT devices in it?
For instance, all my lights are controlled using IKEA's TRÅDFRI solution. They are also integrated into my own Home Assistant instance (dockerized), which runs on my Unraid machine, which also hosts my data shares. Then we have Fire TVs, Echos, a Xiaomi vacuum robot, and so on. The Fire TV should be able to access the data shares for playing back movies. Alexa can control our lights, too.
I'm still struggling to find a "one size fits all" solution.
For starters, connect these devices only to a separate network, either physical or VLAN, to make sure they cannot directly reach the devices you manage yourself.
Make sure the devices cannot see things in the physical world that you do not want to leak. Do not point a networked camera into your bedroom if you don't want others to see inside.
Then, take care that the devices which need to reach the devices holding your own data are only allowed the access you choose. A set-top box may need to read your movies but does not need write access. It does not need unfettered access to your home network. You may be able to grant it access to your shares but not to the internet.
And buy reputable stuff; although the S in IoT is for security and that goes for all devices, some get more support and care than others.
And be careful with switches. You also (at least ideally) want switches which don't expose their own management interface to your isolated VLAN (usually this is called a 'management VLAN' in the feature description). My experience is that of the consumer-level 'web managed' switches, only the D-Link ones do this.
Correct me if I'm wrong, but isn't vanilla Elasticsearch open and insecure by default? And are the password/token security features only available in some paid tier?
How significant is the "two billion records" figure? According to the article, the affected smart-home provider merely "claims to have more than a million users around the world". So presumably this database contains a lot of redundant information?
Most likely not very significant; they probably got the 2 billion records as an upper bound. Considering the amount of junk data they likely have in the DB, I think it's just an overblown news story.
I have never set up Elasticsearch or Kibana myself, but is the setup process secure by default? I.e., does it generate a random password or key by default, so that you have to go out of your way to unsecure it?
I'd be hard pressed to blame them, tbh. I think the reasoning is that these are internal services you should put behind whatever measures you have in place anyway and not expose otherwise. While the previous comment is technically correct about it being insecure by default, it also doesn't listen to the outside world by default (see [1], network.host). I've always thought that makes sense for Elastic, tbh; security isn't their core business, so by leaving that part up to you they avoid screwing it up.
The same could be said about MySQL - but even that switched to entering a root password and disallowing root login, as well as not binding to any network interfaces until explicitly configured to do so. Of course this can all be overridden with simple config changes but it's relatively "secure by default".
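The point above that Elasticsearch listens only on loopback until `network.host` is changed, and that the exposure comes from changing it without turning authentication on, as an added example that is not from the thread: a small shell audit that flags an elasticsearch.yml whose `network.host` has been moved off loopback while `xpack.security.enabled` is not `true`. It reads only the flat `key: value` form that elasticsearch.yml ships in, examines only those two settings (other bind settings such as `http.host` are not checked), and the three sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): flag an elasticsearch.yml that binds to a
# non-loopback address while the built-in authentication is not switched on.
# Assumes the flat "key: value" style elasticsearch.yml ships with; nested YAML
# blocks are not parsed. The sample files written below are constructed.

# Print the value of a dotted key from a flat YAML file (first match, quotes and
# trailing comment stripped); prints nothing if the key is absent.
yaml_value() {
  file=$1
  key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s/^[[:space:]]*$key_re:[[:space:]]*//p" "$file" \
    | sed 's/[[:space:]]*#.*$//; s/^["'"'"']//; s/["'"'"']$//' \
    | head -n 1
}

# Return 0 (true) when the config would expose the node without a password:
# bound to something other than loopback and xpack.security.enabled not "true".
# Only network.host is examined; http.host and friends are out of scope here.
es_exposed_without_auth() {
  host=$(yaml_value "$1" network.host)
  security=$(yaml_value "$1" xpack.security.enabled)
  case ${host:-_local_} in
    _local_|127.0.0.1|::1|localhost) return 1 ;;  # the shipped default: loopback only
  esac
  [ "$security" = "true" ] && return 1
  return 0
}

# Write three constructed configs into DIR for the demonstration.
write_sample_configs() {
  dir=$1
  cat >"$dir/default.yml" <<'EOF'
cluster.name: stats
# network.host unset: Elasticsearch binds to loopback only
EOF
  cat >"$dir/weak.yml" <<'EOF'
cluster.name: stats
network.host: 0.0.0.0          # reachable from every interface
xpack.security.enabled: false  # no authentication at all
EOF
  cat >"$dir/hardened.yml" <<'EOF'
cluster.name: stats
network.host: "0.0.0.0"
xpack.security.enabled: true   # passwords required on HTTP and transport
EOF
}

# Audit every *.yml in DIR: one verdict per file; return 0 only if none is exposed.
audit_dir() {
  rc=0
  for f in "$1"/*.yml; do
    if es_exposed_without_auth "$f"; then
      echo "EXPOSED  $f (network.host=$(yaml_value "$f" network.host), security off)"
      rc=1
    else
      echo "ok       $f"
    fi
  done
  return $rc
}

# Usage: ./es-audit.sh /etc/elasticsearch
if [ -n "${1:-}" ]; then
  audit_dir "$1"
fi
```

The check deliberately treats a missing `network.host` as safe, because that is the shipped default the comment above describes; the failure mode it catches is the common "I set 0.0.0.0 so the intern's dashboard could reach it" change made without also enabling security. Run it against the configuration directory as part of a deploy check, not against the live port, so it works before the node is ever started.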
Email access, people watching, meh... I doubt they see something they don't do themselves. Access to email, however, is way more information and a gateway to more (online) access (probably including gaining access to cams).